3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds

Darren Tucker dtucker at zip.com.au
Wed Nov 19 01:09:18 EST 2003

"Edgar, Bob" wrote:
> It works for the "yes" case but not for the "without-password" case.
> The function that checks (auth_root_allowed(auth_method) is special
> cased for "password". The Pam case sends "keyboard-interactive/pam"
> which like all other authentication methods except password succeeds.
> Here is a patch to make it work for me. Please feel free to criticize
> as appropriate.
[snip patch]

The catch is PAM might not use any kind of password, it might use a
super-secure two-factor authentication or something.  In that case,
"without-password" would be misleading.

Maybe we need a more general "AllowedRootAuthMethods" option?  Maybe not. 
Perhaps "PermitRootLogin pubkey-only"?

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list